Upstream information

CVE-2023-22647 at MITRE

Description

An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the secret being deleted while their read-level permissions to the secret were preserved. When this operation was followed up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the local cluster.


This issue affects Rancher versions 2.6.0 and later before 2.6.13, and 2.7.0 and later before 2.7.4.
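A version-range check for the affected releases stated above, added here as an example (it is not part of the SUSE page or the Rancher project): it parses a Rancher version string, reports whether it falls inside an affected range, and names the first fixed release in that branch. Treating a pre-release such as 2.7.4-rc1 as older than 2.7.4 (and therefore still affected) is an assumption of this example.

```python
import re

# Affected ranges from the advisory, as [lower, upper) per release branch.
AFFECTED_RANGES = [
    ((2, 6, 0), (2, 6, 13)),
    ((2, 7, 0), (2, 7, 4)),
]

# Accepts "2.7.3", "v2.7.3" and "2.7.4-rc1" style strings.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Return a sortable key (major, minor, patch, is_final, prerelease).

    A pre-release sorts before the final release of the same number, so
    2.7.4-rc1 < 2.7.4 (assumption: the advisory lists no pre-releases).
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Rancher version: {text!r}")
    major, minor, patch = (int(x) for x in match.group(1, 2, 3))
    pre = match.group(4)
    return (major, minor, patch, 0 if pre else 1, pre or "")


def fixed_version_for(version):
    """First fixed release in the affected branch, or None if unaffected."""
    key = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        # Final releases carry the (1, "") suffix so bounds compare correctly.
        if lower + (1, "") <= key < upper + (1, ""):
            return "%d.%d.%d" % upper
    return None


def is_affected(version):
    """True if the version lies inside any affected range."""
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed inventory of Rancher management servers for triage.
    for host, ver in [("rancher-a", "v2.6.9"), ("rancher-b", "2.7.4"),
                      ("rancher-c", "2.7.4-rc1"), ("rancher-d", "2.8.0")]:
        fix = fixed_version_for(ver)
        state = f"AFFECTED, upgrade to {fix}" if fix else "not affected"
        print(f"{host}: {ver} -> {state}")
```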

Upstream Security Advisories:

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having critical severity.

CVSS v3 Scores

                     CNA (SUSE)                                    National Vulnerability Database               SUSE
Base Score           9.9                                           8                                             9.9
Vector               CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H  CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector        Network                                       Adjacent Network                              Network
Attack Complexity    Low                                           Low                                           Low
Privileges Required  Low                                           Low                                           Low
User Interaction     None                                          None                                          None
Scope                Changed                                       Unchanged                                     Changed
Confidentiality      High                                          High                                          High
Integrity Impact     High                                          High                                          High
Availability Impact  High                                          High                                          High
CVSSv3 Version       3.1                                           3.1                                           3.1
SUSE Bugzilla entry: 1210527 [RESOLVED / FIXED]

SUSE Security Advisories:


First public cloud image revisions this CVE is fixed in:


SUSE Timeline for this CVE

CVE page created: Mon Apr 17 15:00:06 2023
CVE page last modified: Mon Nov 18 14:11:36 2024